End-of-Day report
Timeframe: Friday 30-04-2021 18:00 - Monday 03-05-2021 18:00
Handler: Dimitri Robl
Co-Handler: Stephan Richter
News
Babuk quits ransomware encryption, focuses on data-theft extortion
A new message today from the operators of Babuk ransomware clarifies that the gang has decided to close the affiliate program and move to an extortion model that does not rely on encrypting victim computers.
https://www.bleepingcomputer.com/news/security/babuk-quits-ransomware-encryption-focuses-on-data-theft-extortion/
Hacking competition Austria Cyber Security Challenge launched
The IT security competition for pupils, students and anyone interested celebrates its 10th anniversary this year.
https://futurezone.at/digital-life/hacker-wettbewerb-austria-cyber-security-challenge-gestartet/401370374
New Buer Malware Downloader Rewritten in E-Z Rust Language
It's coming in emails disguised as DHL Support shipping notices and is apparently being prepped for leasing on the underground.
https://threatpost.com/buer-malware-loader-rewritten-rust/165782/
PuTTY And FileZilla Use The Same Fingerprint Registry Keys, (Sun, May 2nd)
Many SSH clients can remember SSH servers' fingerprints. This can serve as a safety mechanism: you get a warning when the server you want to connect to no longer has the same fingerprint. Then you can decide what to do: continue with the connection, or stop and try to figure out what is going on.
https://isc.sans.edu/diary/rss/27376
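The trust-on-first-use mechanism the diary describes, as an added illustration that is not code from the diary, from PuTTY or from FileZilla: a store keyed the way PuTTY names its registry values (keytype@port:host under HKCU\Software\SimonTatham\PuTTY\SshHostKeys), which is exactly what both clients share. The key blob below is constructed by hand with placeholder key material, not a real server key; the OpenSSH-style SHA256 fingerprint computation is standard.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(key32: bytes) -> bytes:
    """Wire-format public-key blob for ssh-ed25519 (key material is a placeholder here)."""
    if len(key32) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    return ssh_string(b"ssh-ed25519") + ssh_string(key32)


def fingerprint_sha256(blob: bytes) -> str:
    """OpenSSH-style fingerprint: SHA256 over the wire blob, base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class HostKeyStore:
    """Minimal trust-on-first-use store.

    Entries are named '<keytype>@<port>:<host>', the value-name scheme PuTTY uses in
    HKCU\\Software\\SimonTatham\\PuTTY\\SshHostKeys. Because FileZilla reads and writes
    the same registry location, a key accepted in one client is trusted by the other
    (the diary's point); this class models that single shared trust store.
    """

    def __init__(self):
        self._keys = {}

    @staticmethod
    def entry_name(host: str, port: int, keytype: str) -> str:
        return f"{keytype}@{port}:{host}"

    def check(self, host: str, port: int, keytype: str, blob: bytes):
        """Return ('new'|'match'|'mismatch', fingerprint). 'mismatch' is the case where
        the caller must stop and investigate rather than silently continue."""
        name = self.entry_name(host, port, keytype)
        fp = fingerprint_sha256(blob)
        stored = self._keys.get(name)
        if stored is None:
            self._keys[name] = fp      # first contact: pin it (trust on first use)
            return "new", fp
        if stored == fp:
            return "match", fp
        return "mismatch", fp          # key changed: MITM, reinstall, or key rotation


# Constructed sample session: first connection pins the key, a later connection with a
# different key trips the warning, whichever client (PuTTY or FileZilla) made the pin.
KEY_A = bytes(range(32))
KEY_B = bytes(range(1, 33))


def demo():
    store = HostKeyStore()
    first = store.check("sftp.example.test", 22, "ssh-ed25519", ed25519_blob(KEY_A))
    again = store.check("sftp.example.test", 22, "ssh-ed25519", ed25519_blob(KEY_A))
    changed = store.check("sftp.example.test", 22, "ssh-ed25519", ed25519_blob(KEY_B))
    return first[0], again[0], changed[0]


if __name__ == "__main__":
    print(demo())  # ('new', 'match', 'mismatch')
```

The practical consequence for incident handling: when a user reports a host-key warning in FileZilla, check whether someone "fixed" it by accepting the new key in PuTTY (or vice versa), because that single acceptance silences the warning in both clients.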
Spectre vulnerability revived: AMD and Intel processors affected
A new side-channel attack targets the micro-op caches of all modern AMD and Intel CPUs, including Ryzen 5000 and Rocket Lake-S.
https://heise.de/-6034264
Windows 10: BSI publishes security settings
As part of its study "System Design, Logging, Hardening and Security Functions in Windows 10" (SiSyPHuS Win10), the BSI has published recommendations for securing Windows systems, in German and English.
https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2021/210503_SiSyPHuS.html
Tesla Car Hacked Remotely From Drone via Zero-Click Exploit
Two researchers have shown how a Tesla - and possibly other cars - can be hacked remotely without any user interaction. They carried out the attack from a drone.
https://www.securityweek.com/tesla-car-hacked-remotely-drone-zero-click-exploit
Trickbot Brief: Creds and Beacons
TrickBot malware, first identified in 2016, is a Trojan developed and operated by a sophisticated group of cybercrime actors. The cybercrime group initially designed TrickBot as a banking trojan to steal [...]
https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/
Swiss Cloud becomes the latest web hosting provider to suffer a ransomware attack
Swiss Cloud, a Switzerland-based cloud hosting provider, has suffered a ransomware attack this week that brought the company's server infrastructure to its knees.
https://therecord.media/swiss-cloud-becomes-the-latest-web-hosting-provider-to-suffer-a-ransomware-attack/
Vulnerabilities
Pulse Secure fixes VPN zero-day used to hack high-value targets
Pulse Secure has fixed a zero-day vulnerability in the Pulse Connect Secure (PCS) SSL VPN appliance that is being actively exploited to compromise the internal networks of defense firms and govt agencies.
https://www.bleepingcomputer.com/news/security/pulse-secure-fixes-vpn-zero-day-used-to-hack-high-value-targets/
Watch out: Python standard library ignores octal notation in IP addresses
The ipaddress library has not checked IP addresses for leading zeros since 2019. A patch is in sight but has not yet been released.
https://heise.de/-6034508
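Why leading zeros matter, and a check that works whether or not the running interpreter has the fix, as an added example that is not code from the article or from CPython: the C library (and most other parsers) reads "010.8.8.8" as octal, i.e. 8.8.8.8, while an affected ipaddress module reads it as 10.8.8.8. Two components disagreeing on which host a string names is how allow-lists and SSRF filters get bypassed. The strict validator below is this report's own suggestion, not an API of the ipaddress module; it simply refuses the ambiguous form.

```python
import ipaddress
import re
import socket

# Strict dotted-quad grammar: four decimal octets 0..255, no leading zeros
# (a lone "0" is fine). This is the form every parser agrees on.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
_STRICT_IPV4 = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")


def strict_ipv4(text: str) -> ipaddress.IPv4Address:
    """Parse an IPv4 literal, rejecting anything that other parsers might read differently."""
    if not _STRICT_IPV4.match(text):
        raise ValueError(f"rejecting ambiguous or malformed IPv4 literal: {text!r}")
    return ipaddress.IPv4Address(text)


def stdlib_accepts_leading_zeros() -> bool:
    """True on interpreters whose ipaddress module silently parses '010.8.8.8' as 10.8.8.8
    (the behaviour the article describes); False once the fix is present."""
    try:
        ipaddress.ip_address("010.8.8.8")
        return True
    except ValueError:
        return False


def inet_aton_view(text: str) -> str:
    """How the platform C library reads the same string: a leading 0 selects octal."""
    return socket.inet_ntoa(socket.inet_aton(text))


def compare_views(text: str) -> dict:
    """Show the three readings side by side for one input string (constructed inputs below)."""
    try:
        stdlib = str(ipaddress.ip_address(text))
    except ValueError:
        stdlib = None
    try:
        strict = str(strict_ipv4(text))
    except ValueError:
        strict = None
    try:
        libc = inet_aton_view(text)
    except OSError:
        libc = None
    return {"input": text, "ipaddress": stdlib, "strict": strict, "inet_aton": libc}


if __name__ == "__main__":
    # Constructed inputs: the ambiguous octal form, the plain form, and a malformed one.
    for sample in ("010.8.8.8", "10.8.8.8", "0.0.0.0", "1.2.3"):
        print(compare_views(sample))
```

On an affected interpreter the first row prints ipaddress=10.8.8.8 next to inet_aton=8.8.8.8; the strict column is None for that input on every version, which is the behaviour an allow-list check should have.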
SQL Injection Vulnerability Patched in CleanTalk AntiSpam Plugin
On March 4, 2021, the Wordfence Threat Intelligence team initiated responsible disclosure for a Time-Based Blind SQL Injection vulnerability discovered in Spam protection, AntiSpam, FireWall by CleanTalk, a WordPress plugin installed on over 100,000 sites. This vulnerability could be used to extract sensitive information from a site's database, including user emails and password hashes, all [...]
https://www.wordfence.com/blog/2021/05/sql-injection-vulnerability-patched-in-cleantalk-antispam-plugin/
Security updates for Monday
Security updates have been issued by CentOS (bind, GNOME, java-1.8.0-openjdk, java-11-openjdk, nss and nspr, xstream, and xterm), Debian (bind9 and libimage-exiftool-perl), Fedora (ansible, babel, java-11-openjdk, and java-latest-openjdk), Gentoo (chromium, clamav, firefox, git, grub, python, thunderbird, tiff, webkit-gtk, and xorg-server), Mageia (kernel, nvidia-current, nvidia390, qtbase5, and sdl2), openSUSE (Chromium, cifs-utils, cups, giflib, gsoap, libnettle, librsvg, netdata, postsrsd, [...]
https://lwn.net/Articles/855217/
Synology-SA-21:16 ISC BIND
A vulnerability allows remote attackers to obtain sensitive information or conduct denial-of-service attacks via a susceptible version of Synology DNS Server.
https://www.synology.com/en-global/support/security/Synology_SA_21_16
Synology-SA-21:17 Samba
https://www.synology.com/en-global/support/security/Synology_SA_21_17
Epic Games Rocket League 1.95 (AK::MemoryMgr::GetPoolName) Stack Buffer Overrun
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5651.php
Epic Games Psyonix Rocket League v1.95 Insecure Permissions
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5650.php
Security Bulletin: Vulnerability in bind affects IBM Integrated Analytics System
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-affects-ibm-integrated-analytics-system-5/
Security Bulletin: Vulnerability in bind affects IBM Integrated Analytics System
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-bind-affects-ibm-integrated-analytics-system-4/
Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to multiple denial of service through the Node.js runtime
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-may-be-vulnerable-to-multiple-denial-of-service-through-the-node-js-runtime/
Security Bulletin: A vulnerability in IBM SDK, Java Technology Edition may affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sdk-java-technology-edition-may-affect-ibm-cloud-orchestrator-and-ibm-cloud-orchestrator-enterprise-2/
Security Bulletin: Vulnerability in OpenSSL affects IBM Integrated Analytics System
https://www.ibm.com/blogs/psirt/security-bulletin-vulnerability-in-openssl-affects-ibm-integrated-analytics-system-5/
Security Bulletin: Multiple vulnerabilities in IBM SDK, Java Technology Edition may affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise
https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilities-in-ibm-sdk-java-technology-edition-may-affect-ibm-cloud-orchestrator-and-ibm-cloud-orchestrator-enterprise-2/
Security Bulletin: IBM App Connect Enterprise Certified Container may be vulnerable to a command injection vulnerability (CVE-2021-23337)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-may-be-vulnerable-to-a-command-injection-vulnerability-cve-2021-23337/
Security Bulletin: IBM Db2 is vulnerable to a denial of service (CVE-2020-5024)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-db2-is-vulnerable-to-a-denial-of-service-cve-2020-5024-7/
Security Bulletin: A vulnerability in IBM SDK, Java Technology Edition may affect IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise
https://www.ibm.com/blogs/psirt/security-bulletin-a-vulnerability-in-ibm-sdk-java-technology-edition-may-affect-ibm-cloud-orchestrator-and-ibm-cloud-orchestrator-enterprise/
Security Bulletin: IBM App Connect Enterprise Certified Container may be affected by OpenSSL vulnerabilities (CVE-2021-3449 and CVE-2021-3450)
https://www.ibm.com/blogs/psirt/security-bulletin-ibm-app-connect-enterprise-certified-container-may-be-affected-by-openssl-vulnerabilities-cve-2021-3449-and-cve-2021-3450/